Tuesday, October 25, 2005

Sleuthkit on Windows

Hey, guess what I did last night!! I installed Sleuthkit and Autopsy on Windows XP!

For you Linux and *BSD gurus who felt a nauseating disturbance in the Force...it wasn't that burrito you had...it was me!

Okay, okay...it wasn't just me...I had help.

When I'm working with things on my home systems and looking at forensic analysis, I like to use ProDiscover to grab a dd image of a VMware session, my thumb drive, etc. As it turns out, I had a 5GB image of an XP Pro system, so I copied that over to the evidence locker and fired up Autopsy. I didn't run completely through many of the things that I could have done, because it would take some time to do so...but the things I did try worked great.

Don't have an image of your own to play with? Well, the instructions for installing Sleuthkit and Autopsy on Windows also include instructions for how to image a floppy drive...so you can entertain and amaze your friends by recovering deleted files! Or, you can go to the Digital Forensics Tool Testing site and grab an image or two to work with.

My hat's off to Brian Carrier, for having created these tools.

4 comments:

  1. Anonymous, 9:35 AM

    Yes, they are pretty slick. Are you using them in the Cygwin environment or running them from a command prompt? If you want to run them from a command prompt, then just make sure the directory with the following files is in your path and you are on your way to using the sleuthkit from a command prompt (cygwin1.dll and cygz.dll).

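The comment above describes the one thing that makes the Windows builds work from a plain command prompt: the Cygwin runtime DLLs have to be on the PATH. The batch file below is an added example, not code from the post, the commenter or the Sleuthkit project, that checks for those two DLLs, puts the tool directory on the PATH, and then does the "recover deleted files" walk-through the post mentions (partition table, file system details, deleted entries) against a dd image. It assumes the Windows executables together with cygwin1.dll and cygz.dll were unpacked to C:\sleuthkit\bin and that the image is a raw disk image of an XP-era system whose first partition starts at sector 63; both the directory and the offset are hypothetical and are the two things to adjust.

```batch
@echo off
setlocal
REM Added example (not from the original post or its comments): run Sleuthkit
REM tools from a Windows XP command prompt and list the deleted entries in a
REM raw (dd) image. Assumed, hypothetical locations: the TSK executables plus
REM cygwin1.dll and cygz.dll live in C:\sleuthkit\bin; the image path is the
REM first argument, an optional partition sector offset the second.

set "TSK_DIR=C:\sleuthkit\bin"
set "IMAGE=%~1"
set "OFFSET=%~2"
REM 63 is the usual start sector of the first partition on an XP-era disk.
REM If the mmls output below shows something else, re-run with that value.
if "%OFFSET%"=="" set "OFFSET=63"

if "%IMAGE%"=="" (
  echo usage: %~nx0 image.dd [partition_sector_offset]
  exit /b 1
)
if not exist "%IMAGE%" (
  echo image not found: %IMAGE%
  exit /b 1
)

REM The executables are Cygwin builds: without these two DLLs reachable
REM through the PATH they simply fail to load.
for %%D in (cygwin1.dll cygz.dll) do (
  if not exist "%TSK_DIR%\%%D" (
    echo missing %TSK_DIR%\%%D - copy it next to the Sleuthkit executables
    exit /b 1
  )
)
set "PATH=%TSK_DIR%;%PATH%"

echo === partition layout (DOS partition table) ===
mmls -t dos "%IMAGE%"

echo === file system starting at sector %OFFSET% ===
fsstat -o %OFFSET% "%IMAGE%"

REM -r recurses into directories, -d shows only deleted entries. Every tool
REM used here only reads the image, so the evidence file is never modified;
REM recovered data is written elsewhere.
echo === deleted entries (meta-data address precedes each name) ===
fls -o %OFFSET% -r -d "%IMAGE%"

REM To recover one of the listed entries, hand its meta-data address to icat
REM and redirect the output to a directory outside the evidence locker, e.g.
REM   icat -o %OFFSET% "%IMAGE%" 1234 > C:\recovered\somefile
endlocal
```

Run it as `tsk_deleted.bat C:\evidence\xp.dd` and, if `mmls` reports a different start sector for the partition you care about, as `tsk_deleted.bat C:\evidence\xp.dd 2048`. The DLL check up front turns the cryptic loader error you would otherwise get from a missing cygwin1.dll into a plain message, and keeping `icat` as a copy-and-paste line rather than running it automatically means nothing is written until you have chosen which entry to recover and where it should go.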
  2. Anonymous, 1:08 AM

    -gasp- That's almost as bad as when I put the linen executable on the Smart boot CD.

  3. Anonymous, 12:34 AM

    So...where are the instructions to run Autopsy and Sleuthkit in Windows XP? You said that you did it...but don't explain how! Please post how to do it, or send it to me at jlalvarezmedina@gmail.com. Thanks a lot!!!

  4. Anonymous, 5:38 AM

    If you go to http://www.sleuthkit.org/sleuthkit/download.php, you'll see the words "Windows Executables".

    Hope that helps.
